more than once.
As per my original mail above, these two commands will show you the
hidden processes.
First one asks chkrootkit why it thinks there is an LKM Trojan on the
system.
Second one is the helper script run by chkrootkit that lists the hidden
processes but can be run directly.
I am still seeing output from
Wackojacko on 16/08/08 13:02, wrote:
Ron Johnson wrote:
On 08/16/08 06:17, Wackojacko wrote:
Hi all
I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of
hidden processes (ps and readdir).
After googling a littl
Ron Johnson wrote:
On 08/16/08 06:17, Wackojacko wrote:
Hi all
I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of hidden
processes (ps and readdir).
After googling a little further I see this has been a proble
On 08/16/08 06:17, Wackojacko wrote:
Hi all
I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of hidden
processes (ps and readdir).
After googling a little further I see this has been a problem in the
past but w
Hi all
I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of hidden
processes (ps and readdir).
After googling a little further I see this has been a problem in the
past but was unable to find any recent examples.
On Saturday 25 August 2007 00:43, Jude DaShiell wrote:
> Very easily. The very first thing the trojan did after installing itself
> was to call home. Home has the address of the trojaned machine. Home can
> then check up on its trojan and maintain it and activate it or repair it
> as necessary.
Note: top posting fixed. Please don't do that. Also overquoting trimmed.
On Sat, Aug 25, 2007 at 02:43:41AM -0500, Jude DaShiell wrote:
> On Fri, 24 Aug 2007, Mike Bird wrote:
>
> >On Friday 24 August 2007 17:59, Jude DaShiell wrote:
> >>how these trojans survive is by surviving operating syst
Very easily. The very first thing the trojan did after installing itself
was to call home. Home has the address of the trojaned machine. Home can
then check up on its trojan and maintain it and activate it or repair it
as necessary.
On Fri, 24 Aug 2007, Mike Bird wrote:
On Friday 24 Aug
On Friday 24 August 2007 17:59, Jude DaShiell wrote:
> how these trojans survive is by surviving operating system reinstalls.
> The better trojans hide themselves in several out of the way places on
> disks and after adjacent areas have got their new files copy themselves
> back into the areas wher
> how these trojans survive is by surviving operating system
> reinstalls. The better trojans hide themselves in several out of the way
> places on disks and after adjacent areas have got their new files copy
> themselves back into the areas where no more disk wiping by the installer
> is about to
how these trojans survive is by surviving operating system reinstalls.
The better trojans hide themselves in several out of the way places on
disks and after adjacent areas have got their new files copy themselves
back into the areas where no more disk wiping by the installer is about to
happen
On Fri, Aug 24, 2007 at 05:01:21PM -0700, Mike Bird wrote:
> Why do you believe a security erasure is needed rather than simply
> starting with a fresh block zero? If infected, the OP can use a
> Debian Installation CD and make new partition tables.
>
Good question. I've yet to hear a definit
On Friday 24 August 2007 16:16, Jude DaShiell wrote:
> Those trojans trash very many files whenever anyone tries surgery on them.
> That was found out in a security lab by security professionals. If you
> can get to a friend's computer and download the dban iso file from
> http://dban.sf.net and bu
Those trojans trash very many files whenever anyone tries surgery on them.
That was found out in a security lab by security professionals. If you
can get to a friend's computer and download the dban iso file from
http://dban.sf.net and burn that on a single session CD and boot it up on
the infe
On Fri, Aug 24, 2007 at 11:24:35AM -0400, John wrote:
> Today's run of chkrootkit produced the following ominous message:
[elided]
> Am I right in thinking the only thing to do is wipe the machine down
> to bare metal and reinstall? I'm not sufficiently knowledgeable to do
> much forensic checki
You have10 process hidden for readdir command
You have 121 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
eth0: PACKET SNIFFER(/sbin/dhclient3[5654])
--
Am I right in thinking the only thing to do is wipe the machine do
On Mon, 16 Aug 2004, Gregory Pierce wrote:
> In running chkrootkit (version 0.43) tonight I got the following
> warning:
>
> Checking `lkm'... You have16 process hidden for readdir command
> You have16 process hidden for ps command
> Warning: Possible LKM Tr
Incoming from Gregory Pierce:
>
> In running chkrootkit (version 0.43) tonight I got the following
> warning:
>
> Checking `lkm'... You have16 process hidden for readdir command
> You have16 process hidden for ps command
> Warning: Possible LKM Trojan ins
I ran "chkrootkit -x lkm" and I got the following output:
debian-dell:/home/gpierce# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 15705: not in readdir output
PID 15705: not in ps output
CWD 15705: /home/gpierce
EXE 15705: /usr/bin/nautilus
PID 15710: not in readdir
Hello all,
In running chkrootkit (version 0.43) tonight I got the following
warning:
Checking `lkm'... You have16 process hidden for readdir command
You have16 process hidden for ps command
Warning: Possible LKM Trojan installed
But when I run chkrootkit from KDE it com
Hi I am replying to the LKM trojan thing, I have seen this in my install
too.
Last night I reinstalled, and I 1>fresh install 2>unplugged the
net And run chkrootkit immediately after install done. It said 3
process possible trojan installed...I would have to believe thi
On Sat, Feb 07, 2004 at 10:35:20AM +0100, @(none) wrote:
> Does LKM trojan and the 0's mean that these 4 are sabotaged Loadable
> Kernel Modules?
Not necessarily. RTFArchives.
- --
.''`. Paul John
Hello '@(none)'!
On Sat, Feb 07, 2004 at 10:35:20AM +0100, @(none) wrote:
further to my 4 hidden processes, "ps" finds exactly 4 processes with
PID # 0!
[...]
[EMAIL PROTECTED]:/home/ijbd# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.076
Hi,
further to my 4 hidden processes, "ps" finds exactly 4 processes with
PID # 0!
See the scriptfile below.
I later found out that "top" numbers these processes as 3,4,5 & 6, same
sequence.
The names of the processes
I find this hard to understand:
Does LKM trojan and
On Mon, Dec 22, 2003 at 08:38:59AM -0700, user list wrote:
> How do I diagnose this further, and if there is an LKM trojan, how do I
> remove it?
Please read the archives and chkrootkit's bug reports. This is likely
a known bug. Check
ave 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> How do I diagnose this further, and if there is an LKM trojan, how do I
> remove it?
>
> Art Edwards
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject o
I just ran chkrootkit on one of my machines and it turned up the
following:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
How do I diagnose this further, and if there is an LKM trojan, how do I
remove it?
Art Edwards
On Sat, 29 Nov 2003 21:10:14 +0100, Thomas H. George wrote:
> I still must learn about the "/rr_moved" directory which blocks my
> backups but this is a separate issue so I will post a separate question.
man mkisofs, look for rr_moved in various capitalizations.
--
Best Regards, | Hi! I'm a .s
On Sat, Nov 29, 2003 at 09:39:30AM -0500, Thomas H. George wrote:
>
> I still must learn about the "/rr_moved" directory which blocks my
In case it helps : rr_moved is the name used for a special directory on
iso9660 filesystems when using Rock Ridge extensions. IIRC it is needed
because standard
On Sat, Nov 29, 2003 at 10:58:31AM -0500, Paul Morgan wrote:
> On Sat, 29 Nov 2003 05:49:31 -0500, Thomas H. George wrote:
>
> > chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
> >
> > Before reformating the hard drive and reinstalli
On Sat, Nov 29, 2003 at 05:49:31AM -0500, Thomas H. George wrote:
> chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
>
Are you aware of, for example, the section titled `Running chkrootkit'
of http://www.wiggy.net/debian/developer-securing?
I don
Thomas H. George wrote:
chkrootkit reported possible LKM Trojan. 4 processes hidden for ps
command.
Bug in chkrootkit. Check Debian Bugs. Has been discussed here before.
Before reformating the hard drive and reinstalling Debian, started a dvd
backup using growisofs.
The backup of /usr was
Hello Thomas!
On Sat, Nov 29, 2003 at 05:49:31AM -0500, Thomas H. George wrote:
chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
Wow, hold on, first check
chkrootkit -x lkm
and see whether the report only contains PID 3-6. If so then it's only
a bug, see
On Sat, 29 Nov 2003 05:49:31 -0500, Thomas H. George wrote:
> chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
>
> Before reformating the hard drive and reinstalling Debian, started a dvd
> backup using growisofs.
> The backup of /usr was successful,
On Sat, Nov 29, 2003 at 05:49:31AM -0500, Thomas H. George wrote:
> chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
Do you have any other evidence of the LKM Trojan, beyond chkrootkit's
output?
I think you may just be looking at a bug that's not yet be
On Sat, Nov 29, 2003 at 05:49:31AM -0500, Thomas H. George wrote:
> chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219730
> Before reformating the hard dri
chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
Before reformating the hard drive and reinstalling Debian, started a dvd
backup using growisofs.
The backup of /usr was successful, backup of /var failed with duplicate
names in /rr_moved.
Obviously I would like to
On Sun, Nov 16, 2003 at 04:52:56PM +, Richard Kimber wrote:
> > You just upgraded to unstable, eh? :-)
>
> It happens in testing too.
bugreport chkrootkit and look for the bug in question and attach that
information if you don't already see it.
On Sun, Nov 16, 2003 at 05:10:00PM +0100, Kjetil Kjernsmo wrote:
> (shouldn't this be more severe than wishlist, I mean, as the reporter
> says it almost gives people a heartattack...?)
No. /usr/share/doc/chkrootkit/README.Debian
- --
.''`. P
mmand
> > > Warning: Possible LKM Trojan installed
> >
> > You just upgraded to unstable, eh? :-)
>
> It happens in testing too.
> --
> Richard Kimber
> http://www.psr.keele.ac.uk/
>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
On Sun, 16 Nov 2003 17:10:00 +0100
Kjetil Kjernsmo <[EMAIL PROTECTED]> wrote:
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> You just upgraded to unstable, eh? :-)
It happens in testing
On Sunday 16 November 2003 16:41, Gerard Ceraso wrote:
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
You just upgraded to unstable, eh? :-)
I did the same thing a few weeks ago, and was as shocked as you. But I
googled t
It seems that I have been infected with the LKM trojan. Below is what I
received from running chkrootkit. I was wondering if there is a way to
find out how I was infected, and more importantly is there a quick and
easy way to remove it.
Checking `lkm'... You have 4 process hidden f
See also bug report filed on chkrootkit:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
Apart from the LKM trojan warning I'm also getting:
Checking `scalper'... Warning: Possible Scalper Worm installed
Running SID (update every day)
False alarm as well I presume?
Cheers
At 20:18 28-10-2003 -0500, Thomas R. Shemanske wrote:
Micha Feigin wrote:
I got the following o
Micha Feigin wrote:
I got the following output from chkrootkit but couldn't find any
explanation on what processes don't appear:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
I recently (two weeks) built a new box behind a fire
On Monday 27 October 2003 23:37, Micha Feigin wrote:
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
Uh-oh, I'm seeing this too... I have just upgraded to unstable...
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Co
I got the following output from chkrootkit but couldn't find any
explanation on what processes don't appear:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
How do I check this?
I also got:
Checking `wted'... 1 deletion(s